Re: A Look In the Mirror: Attacks on Package Managers

Russ Allbery <rra@debian.org> writes:

> There was some discussion of periodically resigning the security archive
> even if there are no updates so that package managers could warn if more
> than X days had gone by without an update to the security archive
> signatures.  I don't know if anyone has concrete plans to implement that.

The Release file in the repository now has a Valid-Until field that
invalidates the repository after some time without updates. This can be
used to detect a mirror providing outdated packages.

I am not sure whether APT checks this or not. I hope it does.
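As an added example (not code from this thread or from APT), a small Python check of the mechanism described above: it parses the Date and Valid-Until headers of a Release file, rejects one whose Valid-Until has elapsed, fails closed when the field is absent or unparsable, and optionally enforces a maximum age on Date so a frozen mirror is caught even before Valid-Until passes. The sample Release text and the policy are constructed assumptions, not APT's exact behaviour.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header part of a Debian Release file (hash lists omitted).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Date: Sat, 01 Jun 2024 10:00:00 UTC
Valid-Until: Sat, 08 Jun 2024 10:00:00 UTC
Architectures: amd64 arm64
"""

def parse_release_headers(text):
    """Parse the 'Key: value' header lines of a Release file into a dict.
    Indented lines (hash entries) are not headers and are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break                       # headers end at the first blank line
        if line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_release_date(value):
    """Release files use RFC 2822 dates; return an aware datetime or None."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):     # None, empty or malformed value
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_release_validity(text, now, max_age_seconds=None):
    """Decide whether an (already signature-verified) Release file may still
    be trusted at `now`. Returns (ok, reason). Policy is this example's own:
    a missing Valid-Until fails closed, an elapsed Valid-Until is rejected,
    and an optional maximum age on Date catches a frozen mirror early."""
    now = parse_release_date(now) if isinstance(now, str) else now
    fields = parse_release_headers(text)
    valid_until = parse_release_date(fields.get("Valid-Until"))
    if valid_until is None:
        return False, "Valid-Until missing or unparsable; freshness cannot be verified"
    if now > valid_until:
        return False, "Release expired at " + valid_until.isoformat()
    if max_age_seconds is not None:
        date = parse_release_date(fields.get("Date"))
        if date is None or (now - date).total_seconds() > max_age_seconds:
            return False, "Date missing or older than the allowed maximum age"
    return True, "valid until " + valid_until.isoformat()
```

The check is only meaningful after the Release file's signature has been verified, since Date and Valid-Until are what that signature covers; an unsigned or unverified file could carry any value.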


